Incapsula Names the Site Hackers Used in Major DDoS Attack

A few weeks ago, we told you how hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic.

Incapsula, a web security firm, said the attack resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.

Incapsula co-founder Marc Gaffan initially declined to identify the site, saying he wanted to give it time to patch the vulnerability the hackers exploited. All he would acknowledge in early April was that the site ranks among the top 50 websites in the world by traffic based on statistics from Amazon-owned firm Alexa.

That seemed to narrow it down to Youtube.com — the third largest — or Xvideos.com — the 44th largest.

Wrong!

So Who?

It was Sohu.com, China’s eighth largest website and the 27th most visited website in the world. Wait. Who?

"While being relatively unfamiliar to Western audiences, Sohu is a local and global powerhouse. This rapidly growing $2.5 billion organization provides a variety of search and content solutions, including Sohu.TV – the video streaming service that enabled the DDoS attack to occur," Incapsula researchers revealed in an update to an earlier blog post this morning.

Incapsula waited to release the name of the site until it had a chance to fix the hole that let the pain get in — specifically, malicious JavaScript the hackers embedded inside the image icons of the accounts they created. During an interview with CMSWire two weeks ago, Gaffan said "I can’t disclose the domain name in question at this time until the vulnerability is fixed."

Gaffan and his team concede they had second thoughts about the decision to withhold the name of the site.

"Our disclosure of this vulnerability received extensive media coverage, which was accompanied by numerous attempts to guess the website’s identity. By far, the most popular assumption was that this story is about YouTube. While we wanted to debunk that rumor, we couldn’t allow ourselves to be drawn into a 'twenty questions' game, which would inevitably provide additional clues to the vulnerable website’s true identity."

Now the vulnerability is patched. So the cat — fox — is out of the bag.

However, Incapsula is still tight-lipped about one piece of information most CMSWire readers would probably like to know: the name of the B2B e-commerce site that was targeted in the attack. All we know is that it was an Incapsula client.

There are a number of possibilities among the clients listed on its website. But I speculated before — and we all know how that turned out. (Where's Blab and its future talk when you need it?)

Excuses, Excuses

In fairness, Sohu.com was a difficult guess. Incapsula had identified the culprit as one of the world's largest video sites, making Youtube.com and Xvideos.com jump out on the Alexa top 50 list.

Sure, Sohu.com is on that list, too, right there between Pinterest.com and Google.co.uk. But the site description is written in Chinese … one more indication that I made the wrong choice selecting German as my second language in high school.

Anatomy of the Hack

Gaffan told CMSWire today that other sites like Sohu.com — innocent bystanders, so to speak — could suffer collateral damage when hackers use them to target other sites. "This attack could have persisted for months or forever, if we hadn't noticed the inverse side of the picture: The traffic that was being generated at our client, the B2B site."

Incapsula researchers Ronen Atias and Ofer Gayer said the DDoS attack was enabled by a persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was embedded along with it, waiting to be executed by every future visitor to that page.

The solutions for website operators, Gaffan said, are good coding practices and a web application firewall (WAF): an appliance, server plugin or filter that applies a set of rules to an HTTP conversation and can protect production applications against attacks.
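The coding-practice side of that advice, shown as an added example that is not Incapsula's or Sohu's code: a minimal template that writes a stored profile-image value into an <img> tag the unsafe way (the shape of bug described above), next to a hardened version that validates the URL against an assumed allow-listed image host and escapes it before writing the attribute.

```javascript
// Added example (not code from Incapsula or Sohu): rendering a user-controlled
// profile image URL into an <img> tag, vulnerable form beside hardened form.

// Escape the characters that let a value break out of a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the stored value is concatenated into markup as-is, so whatever a
// user saved as their "image" is replayed on every page that shows the avatar.
function renderAvatarVulnerable(storedUrl) {
  return '<img class="avatar" src="' + storedUrl + '">';
}

// Hardened: accept only absolute http(s) URLs on the site's own image host
// (hypothetical host name), and escape the value when writing the attribute.
const ALLOWED_IMAGE_HOSTS = new Set(['img.example-cdn.test']);
const DEFAULT_AVATAR = 'https://img.example-cdn.test/default.png';

function validateImageUrl(storedUrl) {
  let parsed;
  try {
    parsed = new URL(String(storedUrl)); // throws on anything that is not an absolute URL
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (!ALLOWED_IMAGE_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

function renderAvatarSafe(storedUrl) {
  const url = validateImageUrl(storedUrl) || DEFAULT_AVATAR;
  return '<img class="avatar" src="' + escapeAttr(url) + '">';
}

// Constructed sample: a profile "image" value that closes the src attribute and
// appends an event handler attribute, the injection shape the article describes.
const INJECTED_VALUE = 'x" onerror="injected()';
const LEGIT_VALUE = 'https://img.example-cdn.test/u/1.png';
```

With the stored value above, the vulnerable renderer emits a second attribute on the tag, while the hardened one rejects the value at validation and falls back to the default avatar.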

So what happened in the Sohu.com case? Here is the smoking gun, so to speak:

The Incapsula team played nice.

"Once we uncovered the source of the browser-based DDoS attack, and replicated the persistent XSS vulnerability that allowed it to occur, we immediately went on to share our findings with the Sohu security team. With this information in hand, the Sohu team could quickly evaluate the problem and respond with a rapid patch, which fixed the security hole, rendering this browser-based botnet completely useless."

Sohu.com may or may not be expressing gratitude. I checked the website for a response, but I still haven't mastered Chinese.

And, really, who has time to learn a foreign language when there are so many cute cat videos to watch?
